Tor is released: almost stable!

by nickm | April 5, 2017

Tor fixes a few remaining bugs, large and small, in the 0.3.0 release series.
This is the second release candidate in the Tor 0.3.0 series, and has much fewer changes than the first. If we find no new bugs or regressions here, the first stable 0.3.0 release will be nearly identical to it.
You can download the source code from the usual place on the website, but most users should wait for packages to become available over the upcoming weeks. There should be a new Tor Browser alpha release containing Tor some time later this month.
Please note: This is a release candidate, but not a stable release. Please expect more bugs than usual. If you want a stable experience, please stick to the stable releases.

Changes in version - 2017-04-05

  • Major bugfixes (crash, directory connections):
    • Fix a rare crash when sending a begin cell on a circuit whose linked directory connection had already been closed. Fixes bug 21576; bugfix on Reported by Alec Muffett.
  • Major bugfixes (guard selection):
    • Fix a guard selection bug where Tor would refuse to bootstrap in some cases if the user swapped a bridge for another bridge in their configuration file. Fixes bug 21771; bugfix on Reported by "torvlnt33r".


  • Minor features (geoip):
    • Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2 Country database.
  • Minor bugfix (compilation):
    • Fix a warning when compiling hs_service.c. Previously, it had no exported symbols when compiled for libor.a, resulting in a compilation warning from clang. Fixes bug 21825; bugfix on
  • Minor bugfixes (hidden services):
    • Make hidden services check for failed intro point connections, even when they have exceeded their intro point creation limit. Fixes bug 21596; bugfix on Reported by Alec Muffett.
    • Make hidden services with 8 to 10 introduction points check for failed circuits immediately after startup. Previously, they would wait for 5 minutes before performing their first checks. Fixes bug 21594; bugfix on Reported by Alec Muffett.
  • Minor bugfixes (memory leaks):
    • Fix a memory leak when using GETCONF on a port option. Fixes bug 21682; bugfix on
  • Minor bugfixes (relay):
    • Avoid a double-marked-circuit warning that could happen when we receive DESTROY cells under heavy load. Fixes bug 20059; bugfix on
  • Minor bugfixes (tests):
    • Run the entry_guard_parse_from_state_full() test with the time set to a specific date. (The guard state that this test was parsing contained guards that had expired since the test was first written.) Fixes bug 21799; bugfix on
  • Documentation:
    • Update the description of the directory server options in the manual page, to clarify that a relay no longer needs to set DirPort in order to be a directory cache. Closes ticket 21720.


Please note that the comment area below has been archived.

April 05, 2017


Using the stable branch, not familiar to 3.0 features...

is there a big upgrade on hidden services on 3.0+??? no more truncated SHA1 addresss? full sha256 address to thwart fake onion sites??? really waiting for a decent onion address to Ricochet...

April 06, 2017


Hi Nick, this looks like a sweet release, and thanks for the excellent work. I was curious about the latest financial reports for The Tor Project, which only cover the period through the end of 2014 on the website. Do you know when the organization's 2015 and/or 2016 IRS 990 forms or audited financial statements will be made available? Thanks!

April 07, 2017


As a User of the "Expert Bundle" for Windows, wouldn't be possible to include some update mechanism for this package, too?

April 07, 2017


Please can we have a page explaining more about all these different versions. I find the differences between 0.3.05 and 7.02 so confusing.


April 08, 2017


The ClientOnly option in the manual says "This config option is mostly unnecessary: we added it back when we were considering having Tor clients auto-promote themselves to being relays if they were stable and fast enough." Can anyone provide a link to this discussion?

April 11, 2017


We could look at developing an open source community whitelisting/blacklisting initiative that could be contributed to.

If you wanted to block (just for example) we could use the cryptographic proof of identity to check http://expyuzz4wqqyqhjn.onion/ and expand on torrc, or develop a plugin to perhaps add an option to block verified fake onion sites, leaving open the option for community members to ensure that fake reports aren't then overly abused.

As blocklists can be added to routers such as (as an example),
It may be possible to develop an improved implementation using the cryptographic proof of identity.

Bypass exploiting attempts would have to kept in mind and hardened against. Eventually, with the increasing power capability of routers, it may be possible to develop packages that add support to something like DD-WRT for example.

April 15, 2017


[Moderator: the thread
doesn't allow comments? Please post here.]

@ Tor Project people:

The arrest of Dmitry Bogatov is very troubling, particularly following on the heels of similar arrests of Tor exit node operators in the USA. Also troubling is the bizarre phrasing of the official statement which appears to suggest that TP thinks Bogatov might actually be guilty of a crime, which does not appear to be the case.

Here's what can be gleaned from information on line (about 2/3 from official RU government sources, which have to be read as propaganda similar to US "mainstream media", and 1/3 from Tor node operator lists):

o Bogatov is 25 years old, teaches math at Finance and Law University in Moscow, and also volunteers as a Debian maintainer and Tor exit node operator,

o Through early Apr 2017, Bogatov was running an exit node from his home, fingerprint 2402CD5A0D848D1DCA61EB708CC1FBD4364AB8AE

o RU has about forty exit nodes; each day about a quarter million Russians use Tor,

o In a previous incident, Bogatov's electronic devices were seized by the security police on 2 Feb 2017, but he was apparently not arrested or charged, and after two weeks the devices were apparently returned to him,

o On Sun 26 Mar 2017 about 1000 people, including the popular opposition politician, Alexei Navalny

and several Western reporters, were arrested during a huge "unauthorized" anti-corruption protest in Moscow:…

o this was the largest opposition protest in RU in five years, and appears to have greatly alarmed the oppressive government of V. Putin,

o Navalny has been arrested many times previously, and has been convicted in RU courts under apparently trumped up charges; in Feb 2017 the European Court of Human Rights (ECHR) ordered the Russian government to pay him damages for his mistreatment in 2012

o After (separate) cases were decided against them, both RU and US governments have stated they will no longer recognize the ECHR,

o Russian opposition groups immediately responded to Navalny's 26 Mar 2017 arrest by calling for another protest to be held the following Sunday, in order to demand Navalny's release,

o On Tue 28 Mar 2017, someone using the handle “Airat Bashirov” allegedly posted, via Tor--- with the exit node in the Tor circuit just happening to be Bogatov's exit node, a message urging people to bring incendiary devices to the protest planned for 2 Apr 2017,

o On Sun 2 Apr 2017, about 100 "unauthorized" protesters attempted to march to the Kremlin, but security police systematically arrested everyone who had been present at the previous protest:

o Bogatov was apparently not arrested and may not have been present at this protest march, but his node vanished on Wed 5 Apr 2017,

o Bogatov was arrested at his home on Thu 6 Apr 2017, and interrogated all night. His computers, USB sticks, smartphones, cameras and all other electronic devices were seized (again).

o On Mon 10 Apr 2917, Bogatov was charged in Presnensky Court (Moscow) with inciting terrorism under Article 212. He pleaded not guilty, but is facing up to 7 years in prison. The authorities ordered that he be held for another two months in preventative detention while the case against him proceeds,

o “Airat Bashirov” was still posting on 11 Apr 2017, suggesting that he cannot be Bogatov, who has been in nail since 6 Apr 2017. Bogatov's lawyer. Vladimir Lebedev, has pointed out that the person using this handle has posted messages via Tor which were sent on into "the clearnet" via other exit nodes, including nodes outside Russia; only one was sent on from Bogatov's node.

o The legal issue here is exactly that studied in this EFF whitepaper:…

o Possibly because they recognize that IP address is not a valid means of identification, the Russian authorities specifically stated that Bogatov was "identified" [sic] as the author of the "incitement" post using *stylometry*; however this technique is also dubious at best,

o Lebedev provided surveillance videos (irony!) from supermarkets showing his client shopping with his wife at the time the "incitement" post was allegedly sent from his exit node, suggesting that Bogatov did not send the offensive post.